b'SEPTEMBER 9, 2010\n  AUDIT REPORT\n\n\n\n\n                                                      OFFICE OF AUDITS\n\n\n\n\n     STATUS OF NASA\xe2\x80\x99S TRANSITION TO INTERNET\n            PROTOCOL VERSION 6 (IPV6)\n\n\n\n\n                                           OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                                      National Aeronautics and\n                                                          Space Administration\n\n\n\n\n  REPORT NO. IG-10-022 (ASSIGNMENT NO. A-09-017-00)\n\x0cFinal report released by:\n\n\n\n\nPaul K. Martin\nInspector General\n\n\n\n\nAcronyms\n\nARPANET      Advanced Research Projects Agency Network\nCIO          Chief Information Officer\nDNS          Domain Name System\nIP           Internet Protocol\nIPv4         Internet Protocol Version 4\nIPv6         Internet Protocol Version 6\nIT           Information Technology\nLAN          Local Area Network\nNISN         NASA Integrated Services Network\nNIST         National Institute of Standards and Technology\nOCIO         Office of the Chief Information Officer\nOMB          Office of Management and Budget\n\n\n                                                              REPORT NO. IG-10-022\n\x0cSEPTEMBER 9, 2010\n\n\n\n\n                                                                                          OVERVIEW\n\n                        STATUS OF NASA\xe2\x80\x99S TRANSITION TO\n                      INTERNET PROTOCOL VERSION 6 (IPV6)\n\n                                                                                            The Issue\n\n  Throughout its history, NASA has been at the forefront of Federal Government\n  information technology (IT) innovation. This includes early adoption of leading-edge\n  technologies such as cloud computing. Moreover, NASA is a leader in using the Internet\n  to communicate the importance of its programs to the public, and its Web environment\n  has evolved to become a cornerstone of the Agency\xe2\x80\x99s business processes.\n\n  Internet protocol (IP) is a communications protocol, or set of standard rules, used to\n  transmit data over the Internet. The most widely used protocol supporting the Internet\n  today is IP Version 4 (IPv4), which provides about 4.3 billion IP addresses for use\n  worldwide. Over the last 6 years, the demand for IP addresses has been steadily\n  accelerating due to the expansion of Internet usage worldwide and the advent of Internet-\n  capable devices such as mobile phones, car navigation systems, home appliances, and\n  industrial equipment. In May 2009, the Architecture and Infrastructure Committee of the\n  Federal Chief Information Officers Council reported that the IPv4 pool of addresses\n  would be exhausted by 2011 or 2012. In anticipation of the exhaustion of IPv4\n  addresses, in late 1990 the Internet Engineering Task Force selected IP Version 6 (IPv6)\n  as the successor to IPv4. IPv6 allows for an exponentially larger pool of addresses and is\n  seen as the only practical and readily available long-term solution to the impending\n  exhaustion of IPv4 addresses. 1 However, without adaptations, communications between\n  devices using IPv4 and IPv6 are not compatible. In addition, successful transition to the\n  new system is complex and requires detailed planning.\n\n  In 2005, the Office of Management and Budget (OMB) began issuing guidance to\n  Federal agencies relating to the transition to IPv6 so that they would be in a position to\n\n        \xe2\x80\xa2    take advantage of the expanded IP address space and embrace future-oriented\n             networking capabilities, such as converged communications, IP-aware medical\n             devices, and remote sensors and\n\n\n\n\n  1\n      IPv4 allows for approximately 4.3x109 addresses. IPv6 allows for approximately 3.4x1038 addresses.\n\n\n\nREPORT NO. IG-10-022\n\x0c                                                                                                         OVERVIEW\n\n\n\n            \xe2\x80\xa2   lead by example in U.S. enterprise IPv6 transformation. 2\n\n     The \xe2\x80\x9cPlanning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government,\xe2\x80\x9d\n     which defines the Federal Government\xe2\x80\x99s IPv6 plan and builds on requirements set forth\n     in OMB\xe2\x80\x99s guidance (M-05-22), was released in May 2009. Our objective in this audit\n     was to evaluate the status of NASA\xe2\x80\x99s efforts to plan for IPv6 transition and integration to\n     ensure appropriate implementation. Details of the audit\xe2\x80\x99s scope and methodology are in\n     Appendix A.\n\n     Results\n\n     NASA has taken preliminary steps to meet OMB requirements for IPv6 transition and\n     integration, including assigning a lead official in November 2005 to coordinate NASA\xe2\x80\x99s\n     efforts, developing inventories of IP-aware devices and an impact analysis, and in\n     June 2008 demonstrating IPv6 capability of one NASA network. However, as of March\n     2010 the Agency did not have an updated or complete IPv6 transition plan as required by\n     OMB. This occurred, in part, because the Agency has ample IPv4 addresses to meet its\n     current and future requirements and because the individual who was leading the IPv6\n     transition effort left NASA in November 2006 and no one has been assigned to replace\n     him. As a result, the Agency does not have adequate assurance that it has considered all\n     necessary transition elements or that the security and interoperability of its systems will\n     not be affected as other Government agencies and entities transition to IPv6.\n     Accordingly, even if NASA can continue meeting its communication needs using IPv4\n     addresses, it should ensure that its systems are prepared as other Internet users transition\n     to IPv6.\n\n     Management Action\n\n     We recommended that the NASA Chief Information Officer appoint an Agency official\n     to lead and reinvigorate its IPv6 transition planning efforts and ensure that it implements\n     key OMB planning requirements. In response to a draft of this report, the Chief\n     Information Officer concurred with our recommendation and stated that her office will\n     appoint an IPv6 lead to develop an IPv6 transition plan as required by OMB by\n     March 31, 2011 (see NASA\xe2\x80\x99s comments in Appendix F).\n\n     We consider the Chief Information Officer\xe2\x80\x99s proposed actions to be responsive to our\n     recommendation. Therefore, the recommendation is resolved and will be closed upon\n     verification that management has completed the corrective actions.\n     2\n         From \xe2\x80\x9cFederal Government Transition Internet Protocol Version 4 (IPv4) to Internet Protocol Version 6\n         (IPv6), Frequently Asked Questions,\xe2\x80\x9d February 15, 2006, available online at\n         http://www.cio.gov/documents/IPv6_FAQs.pdf (accessed May 19, 2010). This document provides\n         clarification to OMB Memorandum M-05-22, \xe2\x80\x9cTransition Planning for Internet Protocol Version 6\n         (IPv6),\xe2\x80\x9d August 2, 2005, which advised agencies to take specific actions to ensure an orderly and secure\n         transition to IPv6.\n\n\n\nii                                                                                         REPORT NO. IG-10-022\n\x0cSEPTEMBER 9, 2010\n\n\n\n\n                                                         CONTENTS\n\n  INTRODUCTION\n      Background __________________________________________ 1\n      Objective ____________________________________________ 6\n\n  RESULTS\n      Transition Planning Needs Improvement ___________________ 7\n\n  APPENDIX A\n      Scope and Methodology _______________________________ 15\n      Review of Internal Controls _____________________________ 17\n      Prior Coverage _______________________________________ 18\n\n  APPENDIX B\n      Glossary____________________________________________ 19\n\n  APPENDIX C\n      Guidance for Testing IPv6 Capabilities ____________________ 23\n\n  APPENDIX D\n      Requirements and Guidance for a Transition Plan ___________ 25\n\n  APPENDIX E\n      OMB M-05-22 _______________________________________ 28\n\n  APPENDIX F\n      Management Comments _______________________________ 31\n\n  APPENDIX G\n      Report Distribution ___________________________________ 34\n\n\n\n\nREPORT NO. IG-10-022\n\x0c\x0cSEPTEMBER 9, 2010\n\n\n\n\n                                                                                     INTRODUCTION\n\n\nBackground\n\n  The Internet is a network consisting of millions of private, public, academic, business,\n  and Government networks of local to global scope that are linked by a broad array of\n  electronic and optical networking technologies. NASA\xe2\x80\x99s Internet environment is a\n  mechanism for providing information about NASA to the public and a cornerstone of the\n  Agency\xe2\x80\x99s business processes. Recently, the NASA Chief Information Officer (CIO)\n  stated: \xe2\x80\x9cInformation technology at NASA has been, and will remain, a critical enabling\n  capability for the Agency, whether in NASA\xe2\x80\x99s main themes of Space Flight, Exploration,\n  Science, Aeronautics, and Mission Support, or any iteration thereof for the foreseeable\n  future.\xe2\x80\x9d This linkage between information technology (IT) and various aspects of the\n  Agency\xe2\x80\x99s mission underscores the importance of IT across the Agency.\n\n  The Internet began when a small research team, including the Defense Department\xe2\x80\x99s\n  Advanced Research Projects Agency and the Massachusetts Institute of Technology,\n  created the Advanced Research Projects Agency Network (ARPANET), the world\xe2\x80\x99s first\n  operational packet-switching network. Packet switching, the rapid store-and-forward\n  networking design, divides messages up into packets. 3 Routing decisions are made per\n  packet, making it possible for separate physical computer networks to form one logical\n  network.\n\n  The communications protocol, or set of standard rules, used to transmit data over the\n  Internet has evolved through the years. The Network Control Program was developed to\n  provide connections between processes running on different ARPANET host computers.\n  Application services, like e-mail or file transfer, were built on top of the Network Control\n  Program to handle connections to other host computers. In 1983, Transmission Control\n  Protocol and the Internet protocol (IP) replaced the Network Control Program and made\n  possible the connection of almost any computer network to ARPANET.\n\n  Addressing is a basic IP capability. The Internet, including NASA\xe2\x80\x99s Internet\n  environment, currently relies on IP Version 4 (IPv4) addresses to uniquely identify\n  devices on the network so that information can be transmitted from one device, such as a\n  computer, to another as illustrated in Figure 1.\n\n\n\n\n  3\n      A packet is a formatted unit of data, including source and destination addresses, which can be carried\n      over the Internet.\n\n\n\nREPORT NO. IG-10-022                                                                                           1\n\x0c                                                                                                INTRODUCTION\n\n\n\n    Figure 1. IP Source/Destination Example\n\n\n\n\n    Source: GAO Report, \xe2\x80\x9cInternet Protocol Version 6: Federal Agencies Need to Plan for\n    Transition and Manage Security Risks\xe2\x80\x9d (GAO-05-471, May 20, 2005).\n\n\n    IPv4 provides for a finite number of addresses ranging from 0.0.0.0 to 255.255.255.255.\n    See Figure 2 for an illustration of an IPv4 address.\n\n    Figure 2. An Illustration of an IPv4 Address\n\n\n\n\n    Source: TCP/IP Fundamentals for Microsoft Windows (2006).\n\n\n    Due to rapid population growth, mass-market broadband deployment, applications such\n    as Voice over Internet Protocol, the addition of network addressable devices such as\n    mobile phones and sensors to the Internet, and continuing cost reductions in technology\n    that have brought the Internet to large populations in developing economies, demand for\n    IPv4 addresses has been steadily accelerating. In light of this rapid worldwide growth,\n    the Architecture and Infrastructure Committee of the Federal Chief Information Officers\n    Council reported in May 2009 that the pool of IPv4 addresses would be exhausted by\n    2011 or 2012.\n\n    Foreseeing the eventual depletion of IPv4 addresses, the Internet technical community\n    took action to manage IPv4 addresses as a finite resource and to plan for the future by\n\n\n\n2                                                                                         REPORT NO. IG-10-022\n\x0cINTRODUCTION\n\n\n\n  developing a new addressing protocol, IP Version 6 (IPv6), also referred to as IP Next\n  Generation (IPng). 4\n\n  While IPv4 allows for 232 or 4,294,967,296 possible addresses, IPv6 allows for 2128 or\n  340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses (see\n  Figure 3). An example of an IPv6 address is\n  3FFE:2900:D005:0000:02AA:00FF:FE28:9C5A. See Figure 4 for an illustration of an\n  IPv6 address.\n\n  Figure 3. Comparison of IPv4 and IPv6 Addresses\n\n\n\n\n  Source: GAO Report, \xe2\x80\x9cInternet Protocol Version 6: Federal Agencies Need to Plan for\n  Transition and Manage Security Risks\xe2\x80\x9d (GAO-05-471, May 20, 2005).\n\n\n\n  Figure 4. An Illustration of an IPv6 Address\n\n\n\n\n  Source: TCP/IP Fundamentals for Microsoft Windows (2006).\n\n\n\n\n  4\n      The Internet Assigned Numbers Authority assigned version number 6 to IPng since version 5 was\n      reserved for an experimental protocol, \xe2\x80\x9cInternet Stream Protocol, Version 2 (ST2)\xe2\x80\x9d (see Appendix B for\n      details).\n\n\n\nREPORT NO. IG-10-022                                                                                           3\n\x0c                                                                                   INTRODUCTION\n\n\n\n    Several organizations manage and distribute IPv4 and IPv6 addresses:\n\n       \xe2\x80\xa2   The Internet Assigned Numbers Authority coordinates the global pool of IPv4 and\n           IPv6 addresses and provides them to five Regional Internet Registries. The\n           Internet Assigned Numbers Authority is one of the Internet\xe2\x80\x99s oldest institutions,\n           dating back to the 1970s. Today, the Internet Assigned Numbers Authority is\n           operated by the Internet Corporation for Assigned Names and Numbers.\n\n       \xe2\x80\xa2   The Regional Internet Registries manage and distribute public IPv4 and IPv6\n           addresses within their respective regions. The five Regional Internet Registries\n           are the African Network Information Center, Asia Pacific Network Information\n           Centre, American Registry for Internet Numbers, Latin American and Caribbean\n           Internet Addresses Registry, and R\xc3\xa9seaux IP Europ\xc3\xa9ens Network Coordination\n           Centre.\n\n       \xe2\x80\xa2   The American Registry for Internet Numbers, a Regional Internet Registry, is a\n           non-profit membership organization established for the administration and\n           distribution of IP addresses in the United States, Canada, and many Caribbean\n           and North Atlantic islands.\n\n    NASA officials estimate that the American Registry for Internet Numbers assigned about\n    4 million IPv4 addresses to NASA. In March 2010, NASA was using approximately\n    203,000 IPv4 addresses and holding in reserve approximately 434,000 IPv4 addresses for\n    network design, network configuration, and other needs. As a result, with more than 3.3\n    million unused IPv4 addresses, NASA officials said they do not believe that the Agency\n    will exhaust its supply of IPv4 addresses or need to begin using IPv6 addresses in the\n    near future.\n\n    However, the Internet Assigned Numbers Authority and the American Registry for\n    Internet Numbers have warned that many new Internet computing devices will have IPv6\n    addresses by the end of 2011. Therefore, it is vital that the networks used to transfer data\n    over the Internet, including NASA\xe2\x80\x99s systems, are capable of supporting IPv6.\n\n\n\n\n4                                                                           REPORT NO. IG-10-022\n\x0cINTRODUCTION\n\n\n\n  OMB Requirements and Guidance. Office of Management and Budget (OMB)\n  Memorandum M-05-22, \xe2\x80\x9cTransition Planning for Internet Protocol Version 6 (IPv6),\xe2\x80\x9d\n  August 2, 2005, was OMB\xe2\x80\x99s first policy memorandum to agencies to ensure an orderly\n  and secure transition to IPv6. The OMB policy included the following deadlines for\n  required agency actions: 5\n\n        November 15, 2005\n             \xe2\x80\xa2 Assign an official to lead and coordinate agency planning efforts for IPv6\n               transition.\n             \xe2\x80\xa2 Complete an inventory of existing routers, switches, and hardware firewalls\n               (IP-aware hardware devices in the agency\xe2\x80\x99s infrastructure, also called the\n               network backbone).\n\n        February 2006\n             \xe2\x80\xa2 Using guidance to be issued by the Architecture and Infrastructure Committee\n               of the Federal Chief Information Officers Council, 6 address each of the actions\n               identified in Attachment C of the OMB policy (including conducting a\n               requirements analysis to identify current scope of IPv6 within an agency,\n               current challenges using IPv4, and target requirements) and provide the\n               completed IPv6 transition plan as part of the agency\xe2\x80\x99s enterprise architecture\n               submission to OMB.\n\n        June 30, 2006\n             \xe2\x80\xa2 Complete an inventory of existing IP-aware devices and technologies that are\n               components of the agency infrastructure but were not included in the first\n               inventory.\n             \xe2\x80\xa2 Complete an impact analysis of fiscal and operational impacts and risks related\n               to the transition to IPv6.\n\n        June 30, 2008\n             \xe2\x80\xa2 All agency infrastructures must be capable of successfully passing IPv6 data\n               traffic and supporting IPv6 addresses. Agency networks also must be able to\n               communicate with this infrastructure.\n\n  In addition, the OMB policy recommended that all new IT procurements be\n  IPv6 compliant \xe2\x80\x93 that is, able to receive, process, and transmit or forward (as appropriate)\n\n  5\n      See M-05-22 in Appendix E for the original language of the required actions. We reworded the\n      requirements in this report for clarity based on information subsequently issued by OMB and the\n      Architecture and Infrastructure Committee of the Federal Chief Information Officers Council.\n  6\n      The Architecture and Infrastructure Committee of the Federal Chief Information Officers Council issued\n      \xe2\x80\x9cIPv6 Transition Guidance\xe2\x80\x9d in February 2006. In May 2009, it issued \xe2\x80\x9cPlanning Guide/Roadmap\n      Toward IPv6 Adoption within the U.S. Government.\xe2\x80\x9d\n\n\n\nREPORT NO. IG-10-022                                                                                           5\n\x0c                                                                                             INTRODUCTION\n\n\n\n    packets of IPv6 data \xe2\x80\x93 to the maximum extent practicable to avoid additional costs in the\n    future. The OMB memorandum also recommended that agency products or systems be\n    able to interoperate with systems using either the IPv4 or IPv6 addressing convention.\n\n    To address the many questions concerning IPv6 generated by its August 2005 policy, in\n    February 2006, OMB published \xe2\x80\x9cFederal Government Transition Internet Protocol\n    Version 4 (IPv4) to Internet Protocol Version 6 (IPv6), Frequently Asked Questions.\xe2\x80\x9d 7\n    The document addressed questions about the scope of agencies\xe2\x80\x99 IPv6 efforts, the\n    inventory submissions, and the transition plan each agency was to submit to OMB in\n    February 2006.\n\n    In May 2009, OMB released the \xe2\x80\x9cPlanning Guide/Roadmap Toward IPv6 Adoption\n    within the U.S. Government\xe2\x80\x9d (the IPv6 Planning Guide), which sets out the Federal\n    Government\xe2\x80\x99s movement toward adopting IPv6 and builds on the requirements in the\n    August 2005 OMB policy. In OMB\xe2\x80\x99s memorandum announcing the release of the\n    Planning Guide, OMB recommends that agencies\n\n          \xe2\x80\xa2    use their enterprise architecture and capital planning activities to plan for the\n               deployment of IPv6-enabled 8 network services, show how they intend to use\n               these services to power IPv6-enabled applications, commit to specific\n               measureable improvements in agency performance, and reflect these\n               improvements in their investment proposals;\n          \xe2\x80\xa2    leverage the guidance milestones provided in the IPv6 Planning Guide to develop\n               an effective transition plan;\n          \xe2\x80\xa2    set up test laboratories and prototype networks to acquire IPv6 experience and\n               expertise; and\n          \xe2\x80\xa2    deploy secure IPv6-enabled network services during regular technology upgrade\n               cycles.\n\n\nObjective\n\n    Our objective was to evaluate NASA\xe2\x80\x99s efforts and plans for IPv6 transition and\n    integration. We reviewed the Agency\xe2\x80\x99s implementation of planning requirements for\n    IPv6 transition in accordance with the August 2005 OMB policy and the status of\n    NASA\xe2\x80\x99s progress with IPv6 integration since the May 2009 release of the IPv6 Planning\n    Guide. We also evaluated the effectiveness of NASA\xe2\x80\x99s IT security controls for devices\n    configured to enable IPv6. See Appendix A for details of the audit\xe2\x80\x99s scope and\n    methodology, our review of internal controls, and a list of prior coverage. See\n    Appendix B for a glossary of selected terms.\n\n    7\n        Available online at http://www.cio.gov/documents/IPv6_FAQs.pdf (accessed May 19, 2010).\n    8\n        OMB defines \xe2\x80\x9cIPv6 enabled\xe2\x80\x9d as meaning that IPv6 is being used (see Appendix B).\n\n\n\n6                                                                                    REPORT NO. IG-10-022\n\x0cRESULTS\n\n\n\n\n                                                      TRANSITION PLANNING NEEDS\n                                                                   IMPROVEMENT\n\n             NASA took preliminary steps in 2004\xe2\x80\x932010 for IPv6 transition and integration that\n             were consistent with the OMB guidance. However, since that time NASA has not\n             continued with active IPv6 planning and has not fully implemented OMB\xe2\x80\x99s planning\n             requirements for transition to IPv6. Without adequate planning, NASA may\n             encounter interoperability and security challenges when other parts of the Federal\n             Government and the worldwide IT community transition to IPv6. As a result, NASA\n             could find itself unprepared to securely communicate using IPv6.\n\n\nNASA Has Taken Preliminary Steps for Transition and Integration\n\n  NASA has taken preliminary steps to meet OMB requirements for IPv6 transition and\n  recommendations for integration that included the following actions:\n\n  Assigning a Lead. According to officials in the NASA Office of the Chief Information\n  Officer (OCIO), in 2005 the NASA Deputy CIO was designated as the official to lead\n  and coordinate planning for IPv6 transition. The Deputy CIO was actively involved with\n  the IPv6 working group sponsored by the Architecture and Infrastructure Committee of\n  the Federal Chief Information Officers Council. However, since he left the Agency in\n  November 2006, no other official has been assigned to lead NASA\xe2\x80\x99s IPv6 transition\n  effort.\n\n  Developing Inventories and an Impact Analysis. According to OMB, all Federal\n  agencies, including NASA, were required to meet the November 15, 2005, deadline for\n  completing an \xe2\x80\x9cinventory of existing routers, switches, and hardware firewalls\xe2\x80\x9d and the\n  June 30, 2006, deadline for completing an \xe2\x80\x9cinventory of existing IP compliant devices\n  and technologies not captured in first inventory.\xe2\x80\x9d OMB also required agencies to\n  complete an \xe2\x80\x9cimpact analysis of fiscal and operational impacts and risks\xe2\x80\x9d related to IPv6\n  transition by June 30, 2006. We were unable to assess NASA\xe2\x80\x99s inventories or impact\n  analysis because the Agency could not provide us with copies of these documents. 9\n  However, we were able to verify that NASA OCIO had issued two data calls to the\n  NASA Centers requesting the inventory information required by OMB, and we\n  confirmed that the inventory information requested was consistent with OMB\n  requirements. We also confirmed that six Centers 10 provided the requested information\n\n\n\n  9\n      NASA OCIO did not retain copies of the submissions and was unable to obtain copies from OMB.\n  10\n       Ames Research Center, Dryden Flight Research Center, Glenn Research Center, Kennedy Space Center,\n       Marshall Space Flight Center, and Stennis Space Center.\n\n\n\nREPORT NO. IG-10-022                                                                                       7\n\x0c                                                                                                             RESULTS\n\n\n\n    and that two Centers 11 prepared impact analyses. However, without reviewing NASA\xe2\x80\x99s\n    submissions, we could not assess their quality or completeness.\n\n    Amending the Federal Register. In August 2006, NASA, the General Services\n    Administration, and the Department of Defense published a proposed rule in the Federal\n    Register to amend the Federal Acquisition Regulation \xe2\x80\x9cto ensure that all new IT\n    acquisitions using Internet Protocol are IPv6 compliant.\xe2\x80\x9d This proposed rule was\n    finalized on December 10, 2009. NASA OCIO officials stated that all NASA Centers\n    were notified of the final rule and that IT contracts created after that date should be in\n    compliance.\n\n    Demonstrating Capability. NASA developed an IPv6 Demonstration Plan 12 and, in\n    June 2008, successfully demonstrated IPv6 capability on the NASA Integrated Services\n    Network (NISN) corporate backbone through the core Standard IP (SIP) routers. NASA\n    determined the IPv6 accessibility of 12 core routers by using a utility to send a data\n    packet to 12 IPv6 addresses and successfully receiving a reply. See Appendix C for the\n    specific guidance we used to determine NASA\xe2\x80\x99s compliance with this requirement.\n\n    We also reviewed the certification and accreditation documentation and a vulnerability\n    scan for the NISN corporate backbone. We found that security controls were generally\n    effective for the 12 core routers that are IPv6-enabled.\n\n    Acquiring IPv6 Experience. We found that NISN engineers tested IPv6 functionality\n    on the NASA Prototyping Network, a network laboratory environment used to test new\n    technologies, protocols, and pre-operational equipment before deployment to the\n    production network. For example, one test performed in 2004 on the NASA Prototyping\n    Network showed that IPv6 would work with IPv4 using the dual-stack transition\n    mechanism, 13 in which the network was configured to support IPv4 and IPv6\n    concurrently. Tests were conducted using network utilities common to IPv4 and IPv6.\n    NISN engineers also used the NASA Prototyping Network to test security of the IPv6\n    control plane \xe2\x80\x93 the services, settings, and data streams that support the dynamic operation\n    and traffic handling of routers \xe2\x80\x93 with the network running IPv6 (IPv6 enabled). 14\n\n    These preliminary steps, while providing some assurance that NASA can adapt to the\n    IPv6 transition, are not sufficient to ensure that NASA will be able to continue to\n    effectively communicate over the Internet with the public, other Government agencies,\n    and its worldwide partners when they transition to IPv6. The 2004 test noted that further\n    11\n         Kennedy Space Center and Marshall Space Flight Center.\n    12\n         \xe2\x80\x9cNational Aeronautics and Space Administration (NASA) Agencywide IPv6 - Demonstration Plan,\xe2\x80\x9d\n         June 6, 2008.\n    13\n         See Appendix B\xe2\x80\x99s entries for dual-stack and transition mechanism.\n    14\n         The control plane supports the dynamic state of the router: the routing tables, access logs, traffic\n         statistics, and cryptographic associations. If an attacker can inject control plane information into your\n         router, then the attacker can exercise some control over packet forwarding, expose traffic to interception,\n         and prevent effective communication among networks and hosts.\n\n\n\n8                                                                                           REPORT NO. IG-10-022\n\x0cRESULTS\n\n\n\n  testing was needed for interoperability (as discussed on page 10), which has not yet been\n  conducted. In addition, although the NISN corporate backbone was tested, NASA has\n  not assessed whether testing is needed on other systems, such as mission systems.\n\n\nIPv6 Transition Efforts Have Stalled\n\n  While NASA has taken a number of preliminary steps for transitioning to IPv6, its efforts\n  have stalled partly because the individual assigned to lead the Agency\xe2\x80\x99s transition effort\n  left NASA in November 2006 and another official has yet to be assigned. In addition,\n  NASA has no sense of urgency on this issue because, as previously discussed, the\n  Agency has ample IPv4 addresses available to meet its current and future requirements\n  and therefore does not anticipate that it will be using IPv6 addresses in the foreseeable\n  future. We believe NASA needs to reinvigorate its IPv6 planning efforts because,\n  regardless of NASA\xe2\x80\x99s ample supply of IPv4 addresses, other users are beginning to use\n  IPv6 addresses, and the transition to IPv6 is more complex than previous advances in\n  Internet technology and requires detailed planning. At the time of the adoption of IPv4,\n  there were less than 500 hosts connected to the Internet, a relatively small community of\n  technical specialists was involved, and the Internet was operating in a non-commercial\n  environment. By 2008, over 500 million hosts were connected to the Internet and 1.32\n  billion users had Internet access. These numbers and the associated technical\n  complexities will only continue to increase as Internet users transition to IPv6.\n\n\nNASA Needs to Improve Its Transition Planning\n\n  As of March 2010, NASA did not have an updated or complete IPv6 transition plan as\n  required by OMB. As a result, the Agency does not have adequate assurance that it has\n  considered all elements necessary to achieve a successful transition to IPv6. Among the\n  challenges identified by the Architecture and Infrastructure Committee that agencies\n  should consider is the need to maintain interoperability and security during transition, as\n  well as manage the IPv6 standards and product evolution.\n\n  Updated Transition Plan\n\n  During our audit, NASA officials provided an IPv6 transition plan that had been in draft\n  since April 2007 and that did not reflect transition elements required by OMB policy.\n  OMB called for agencies to complete their IPv6 transition plans using guidance issued by\n  the Architecture and Infrastructure Committee of the Federal Chief Information Officers\n  Council in February 2006. This guidance outlined 17 elements agencies should consider\n  to ensure all transition elements had been examined (see Appendix D). Although the\n  guidance did not require that agency plans include all of the elements, 11 of the 17 are\n\n\n\n\nREPORT NO. IG-10-022                                                                            9\n\x0c                                                                                                                 RESULTS\n\n\n\n     required. 15 However, NASA\xe2\x80\x99s draft IPv6 transition plan does not include any of the\n     11 elements, although some of the elements were addressed by NASA\xe2\x80\x99s successful\n     demonstration of IPv6 capability on the NISN corporate backbone and by NISN IPv6\n     testing in 2004, 2005, and 2010. The following paragraphs describe five unaddressed\n     elements that we believe NASA needs to consider to promote an orderly and secure\n     transition to IPv6.\n\n     Transition Priorities and Activities. NASA\xe2\x80\x99s draft IPv6 transition plan does not\n     identify transition priorities or activities 16 for networks other than the NISN corporate\n     backbone. Rather, the draft plan states only that the Agency\xe2\x80\x99s mission networks (e.g., the\n     Integrated Operations Network and the Network Service Assurance Plan network) would\n     be included in the Agency\xe2\x80\x99s long-term IPv6 transition strategy.\n\n     The 2009 IPv6 Planning Guide identifies priorities to help agencies in their transition:\n\n                 External facing eCommerce servers, mail gateways, instant messaging servers, Web\n                 servers, and voice over IP gateways hosting portals for remote clients, teleworkers,\n                 partner agencies, and group collaboration all have to serve content across the Internet\n                 backbone to external hosts. Because of IPv4 address depletion and its effect on core\n                 routing, applications that rely on the Internet core for transport to external hosts\n                 should upgrade first to IPv6-capable versions by 2010.\n\n     The IPv6 Planning Guide states that the second wave of upgrades should include host\n     interfaces, such as Web servers and e-mail clients, that will connect to external servers.\n     The final upgrade includes \xe2\x80\x9cinternal facing systems in an Enterprise LAN [local area\n     network], as these systems can continue to rely on IPv4 NAT [Network Address\n     Translation] 17 addresses for some time.\xe2\x80\x9d Without transition priorities and activities, the\n     Agency cannot determine the impact of the transition or the order in which networks will\n     get funding for upgrade.\n\n     Interoperability and Security. NASA\xe2\x80\x99s draft IPv6 transition plan does not include a\n     plan for maintenance of interoperability and security during the transition from IPv4 to\n     IPv6. IPv6 transition challenges include maintaining dual IPv4 and IPv6 environments\n     for an extended period, interfacing with partners in various stages of the transition, and\n     managing information security in an environment more vulnerable to threats. The key to\n     a successful IPv6 transition is interoperability with IPv4 hosts and routers already in\n     existence. For IPv6 hosts and routers to interoperate with IPv4 hosts and routers, the\n     IPv6 equipment must have a transition mechanism such as dual-stack or tunneling. 18\n     One test performed in 2004 on the NASA Prototyping Network concluded that further\n\n     15\n          The Architecture and Infrastructure Committee\xe2\x80\x99s 2009 IPv6 Planning Guide required 11 elements to be\n          included.\n     16\n          Both elements \xe2\x80\x93 transition activities and transition priorities \xe2\x80\x93 are included in the guidance listed in\n          Appendix D.\n     17\n          See Appendix B for details about network address translation.\n     18\n          A mechanism that allows an IPv6 packet to travel through an IPv4 network (see Appendix B).\n\n\n\n10                                                                                             REPORT NO. IG-10-022\n\x0cRESULTS\n\n\n\n  testing was needed for the tunneling mechanism: \xe2\x80\x9cUntil IPv6 has more widespread\n  application support, it will be difficult to deploy IPv6 without some method of tunneling\n  with IPv4.\xe2\x80\x9d\n\n  In addition to interoperability issues, IPv6 introduces new security threats. The National\n  Institute of Standards and Technology (NIST) USGv6 Profile 19 concluded that the\n  \xe2\x80\x9ccurrent state of IPv6 security and network protection technologies and operational\n  knowledge lags behind that of IPv4 and the existing Internet.\xe2\x80\x9d The IPv6 Planning Guide\n  recommends steps for agencies to consider with regard to security, including\n  development of a comprehensive IPv6 security plan and associated IPv6 policies within\n  the IPv6 addressing rollout plan, upgrading network protection devices/tools for IPv6\n  support, and expanding core and perimeter boundary monitoring to incorporate IPv6 and\n  IPv6-in-IPv4 tunnels. NASA has not completed any of these steps.\n\n  IPv6 Standards and Products. A fourth element not addressed in NASA\xe2\x80\x99s draft IPv6\n  transition plan is the use of IPv6 standards and products. While the base set of IPv6\n  protocols are stable and mature, many of the Internet standards supporting IPv6 features\n  and IPv6 products in development are still evolving. With evolving IPv6 standards,\n  challenges exist with acquiring IPv6-compliant products that will ensure interoperability\n  and security. The NIST USGv6 Profile recommends a technology acquisition profile for\n  common IPv6 devices in U.S. Government IT systems. However, NASA has not decided\n  how to ensure compliance with the NIST USGv6 Profile.\n\n  Governance. The fifth element not addressed in NASA\xe2\x80\x99s draft IPv6 transition plan is\n  transition governance, including Agency policy and roles and responsibilities. The NIST\n  USGv6 Profile states:\n\n             Beyond being much larger (128bit vs. 32bit), the IPv6 addressing architecture makes\n             for the clear definition of multiple types of addresses (e.g., link-local, global,\n             multicast, anycast) and multiple scopes of addresses (e.g., global, local, link).\n\n             Any adoption and deployment of IPv6 requires the development of an addressing\n             plan. There are many significant issues associated with strategies for IPv6 address\n             allocation and assignment.\n\n  In addition, the IPv6 Planning Guide recommends a list of specific procedures for IP\n  address management and allocation that includes (a) assessing existing IP address\n  management and allocation governance and procedures and (b) developing and\n  promulgating new/revised IPv6 address management and allocation governance\n  including requirements, guidance, policy, procedures, and reporting. As of May 2010,\n  NASA officials said they were working on but had not finalized an IP addressing plan.\n  As NASA\xe2\x80\x99s international partners and others around the world transition to IPv6, NASA\n\n\n  19\n       NIST Special Publication 500-267, \xe2\x80\x9cA Profile for IPv6 in the U.S. Government \xe2\x80\x93 Version 1.0,\xe2\x80\x9d\n       July 2008.\n\n\n\nREPORT NO. IG-10-022                                                                                  11\n\x0c                                                                                                 RESULTS\n\n\n\n     must have adequate guidance in place to ensure that its network managers can continue to\n     securely meet NASA\xe2\x80\x99s needs.\n\n     No Lead for Continued Planning\n\n     As of March 2010, NASA\xe2\x80\x99s IPv6 transition plan had not been updated or completed,\n     primarily because NASA had not reassigned these responsibilities in the nearly 4 years\n     since the last official with responsibility for IPv6 planning left the Agency. NASA\n     officials said they have not assigned a new IPv6 lead because the Agency has more than\n     3.3 million unused IPv4 addresses and therefore no current need for IPv6. 20\n\n     In our judgment, NASA should make planning for IPv6 transition more of a priority\n     because even if NASA continues to use IPv4 addresses, other Internet users will begin\n     using IPv6 addresses in the near future and NASA must be prepared to ensure the\n     security and interoperability of its systems in this new environment.\n\n\nRecommendation, Management\xe2\x80\x99s Response, and Evaluation of\n  Management\xe2\x80\x99s Response\n\nTo ensure that NASA systems are interoperable and secure as Federal Government agencies\nand other organizations transition to IPv6, we recommended that the NASA CIO assign an\nIPv6 lead to complete an updated IPv6 transition plan that considers transition elements\nidentified by the Architecture and Infrastructure Committee of the Federal Chief\nInformation Officers Council in the \xe2\x80\x9cIPv6 Planning Guide/Roadmap Toward IPv6 Adoption\nwithin the U.S. Government.\xe2\x80\x9d\n\n     Management\xe2\x80\x99s Response. The CIO concurred with our recommendation and stated that\n     she will appoint an IPv6 lead by September 30, 2010, to review the OMB requirements\n     and develop a compliant IPv6 transition plan. The CIO stated that this transition plan\n     will be completed by March 31, 2011.\n\n     Evaluation of Management\xe2\x80\x99s Response. We consider the CIO\xe2\x80\x99s proposed actions to be\n     responsive to our recommendation. Therefore, the recommendation is resolved and will\n     be closed upon verification that the proposed actions have been completed.\n\n     In addition to responding to our recommendation, the CIO suggested a number of minor\n     revisions to the draft report. Specifically, she suggested that we add the word\n     \xe2\x80\x9ccorporate\xe2\x80\x9d to our references to the NISN Backbone, noted an apparent discrepancy in\n     the number of elements discussed under the heading \xe2\x80\x9cNASA Needs to Improve Its\n     Transition Planning,\xe2\x80\x9d questioned whether the report should reference the Space Network\n     and the Ground Network, and clarified an official\xe2\x80\x99s title (see Appendix F for the full text\n     of management\xe2\x80\x99s comments).\n     20\n          As discussed on page 9, NASA has ample IPv4 addresses to meet its needs.\n\n\n\n12                                                                                   REPORT NO. IG-10-022\n\x0cRESULTS\n\n\n\n  We used the term \xe2\x80\x9cNISN Backbone\xe2\x80\x9d in the draft because that was the term used in the\n  certification and accreditation documentation provided to us by NASA. However, we\n  made the change suggested by the CIO for clarification purposes. In addition, although\n  there are only four subheadings in the Transition Planning section, we discuss five\n  elements; two elements, transition priorities and transition activities, are combined in one\n  heading. In response to the CIO\xe2\x80\x99s comments, we added a footnote to clarify this point.\n  Finally, we included the Space and Ground Networks in our report because they were\n  referenced in NASA\xe2\x80\x99s draft IPv6 transition plan. Based on the clarification from the\n  CIO, we deleted the references to those networks in the final report. We also corrected\n  the official\xe2\x80\x99s title, to the Associate CIO for Architecture and Infrastructure.\n\n\n\n\nREPORT NO. IG-10-022                                                                             13\n\x0c\x0cAPPENDIXES\n\n\n\n\n                                                                         APPENDIX A\n\n\nScope and Methodology\n\n  We performed this audit from September 2009 through July 2010 in accordance with\n  generally accepted government auditing standards. Those standards require that we plan\n  and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\n  basis for our findings and conclusions based on our audit objectives. We believe that the\n  evidence obtained provides a reasonable basis for our findings and conclusions based on\n  our audit objectives. We performed our audit at Kennedy Space Center, Marshall Space\n  Flight Center, and NASA Headquarters.\n\n  To assess implementation of key planning requirements for IPv6 transition, we reviewed\n  transition and integration requirements and guidelines in the following documents:\n\n      \xe2\x80\xa2   OMB Memorandum M-05-22, \xe2\x80\x9cTransition Planning for Internet Protocol\n          Version 6 (IPv6),\xe2\x80\x9d August 2, 2005;\n\n      \xe2\x80\xa2   OMB Memorandum, \xe2\x80\x9cRelease of the Planning Guide/Roadmap toward IPv6\n          Adoption within the US Government,\xe2\x80\x9d May 20, 2009;\n\n      \xe2\x80\xa2   Architecture and Infrastructure Committee, Federal Chief Information Officers\n          Council, \xe2\x80\x9cIPv6 Transition Guidance,\xe2\x80\x9d February 2006;\n\n      \xe2\x80\xa2   Architecture and Infrastructure Committee, Federal Chief Information Officers\n          Council, \xe2\x80\x9cDemonstration Plan to Support Agency IPv6 Compliance,\xe2\x80\x9d January 28,\n          2008; and\n\n      \xe2\x80\xa2   Architecture and Infrastructure Committee, Federal Chief Information Officers\n          Council, \xe2\x80\x9cPlanning Guide/Roadmap Toward IPv6 Adoption within the\n          U.S. Government,\xe2\x80\x9d May 2009.\n\n  We interviewed personnel from the NASA OCIO, the Marshall Space Flight Center\n  OCIO, the Kennedy Space Center OCIO, and NISN. Officials interviewed included the\n  NASA OCIO Enterprise Architect, the Associate CIO for Architecture and Infrastructure,\n  Marshall\xe2\x80\x99s Deputy CIO, Kennedy\xe2\x80\x99s Network Engineer, the NISN Service Owner for\n  Corporate Routed Data Service, and the NISN Network Engineer.\n\n  NASA OCIO officials could not provide the inventory or impact analysis submitted to\n  OMB in November 2005 and June 2006. NASA OCIO officials stated that the\n  documents had been lost due to changes in personnel, and the officials were unable to\n  obtain copies from OMB. OMB did issue a statement that all agencies had met the\n\n\nREPORT NO. IG-10-022                                                                          15\n\x0c                                                                                     APPENDIX A\n\n\n\n     June 2008 deadline. Lacking those documents, we were unable to verify whether\n     NASA\xe2\x80\x99s submissions to OMB were complete and accurate.\n\n     To identify actions taken to complete inventories and the impact analysis as required by\n     OMB M-05-22, we obtained the following NASA OCIO action registry items with\n     requirements for the Center OCIOs:\n\n        \xe2\x80\xa2   Action Registry EA-12, \xe2\x80\x9cActions for Transition Planning for Agency Internet\n            Version 6 (IPv6),\xe2\x80\x9d required Centers to complete the first inventory due to OMB\n            by November 2005. Action Registry EA-12 provided the Centers with a copy of\n            the \xe2\x80\x9cIPv6 Transition Checklist\xe2\x80\x9d (Attachment A of OMB M-05-22) to complete\n            the first inventory.\n\n        \xe2\x80\xa2   Action Registry EA-25, \xe2\x80\x9cAction: IPv6 implementation activities related to\n            enterprise architecture submissions to OMB that are due February 15, 2006,\xe2\x80\x9d\n            required Centers to complete the \xe2\x80\x9cIPv6 Transition Checklist\xe2\x80\x9d for all IP devices\n            not captured in the first inventory. Action Registry EA-25 also requested that the\n            Centers provide input for completion of Attachment B, \xe2\x80\x9cImpact Analysis,\xe2\x80\x9d of\n            OMB M-05-22.\n\n        \xe2\x80\xa2   Action Registry EA-29, \xe2\x80\x9cAction: IPv6 Transition Planning activities to be\n            completed by June 30, 2006,\xe2\x80\x9d required Centers to complete the inventories of\n            IP-aware applications and peripherals with dependencies on the network\n            backbone and complete an impact analysis.\n\n     To obtain inventory lists submitted to the NASA OCIO, we contacted 10 NASA Center\n     OCIOs: (1) Ames Research Center, (2) Dryden Flight Research Center, (3) Glenn\n     Research Center, (4) Goddard Space Flight Center, (5) the Jet Propulsion Laboratory,\n     (6) Johnson Space Center, (7) Kennedy Space Center, (8) Langley Research Center,\n     (9) Marshall Space Flight Center, and (10) Stennis Space Center. We obtained and\n     reviewed the completed OMB \xe2\x80\x9cIPv6 Transition Checklist,\xe2\x80\x9d which includes inventory\n     reported to the NASA OCIO, from 6 Centers: Ames, Dryden, Glenn, Kennedy, Marshall,\n     and Stennis. These inventories, if unchanged by the NASA OCIO, would have provided\n     the inventory information required for the OMB submissions. Two Centers, Johnson and\n     Goddard, were unable to find a record of their submission; we did not receive a response\n     from the Jet Propulsion Laboratory or Langley.\n\n     We also reviewed the following submissions to the NASA OCIO from the OCIOs at\n     Kennedy and Marshall:\n        \xe2\x80\xa2   Impact Analysis, \xe2\x80\x9cIP Version 6 Transition Initial Draft\xe2\x80\x9d (Kennedy).\n        \xe2\x80\xa2   Impact Analysis, \xe2\x80\x9cMission Support Network\xe2\x80\x9d (Marshall).\n        \xe2\x80\xa2   Impact Analysis, \xe2\x80\x9cNational Space Science Technology Center\xe2\x80\x9d (Marshall).\n        \xe2\x80\xa2   Impact Analysis, \xe2\x80\x9cHuntsville Operations Support Center\xe2\x80\x9d (Marshall).\n\n\n16                                                                         REPORT NO. IG-10-022\n\x0cAPPENDIX A\n\n\n\n      \xe2\x80\xa2   Impact Analysis, \xe2\x80\x9cCIO \xe2\x80\x93 LAN [Local Area Network] Technical Refresh\xe2\x80\x9d\n          (Marshall).\n\n  To assess the status of NASA efforts and plans to move forward with IPv6 integration\n  since OMB announced the release of the IPv6 Planning Guide on May 20, 2009, we\n  interviewed the NASA OCIO Enterprise Architect, the Associate CIO for Architecture\n  and Infrastructure, Marshall\xe2\x80\x99s Deputy CIO, Kennedy\xe2\x80\x99s Network Engineer, the NISN\n  Service Owner for Corporate Routed Data Service, and the NISN Network Engineer. To\n  determine whether NASA implemented the final rule in the Federal Register to amend\n  the Federal Acquisition Regulation \xe2\x80\x9cto ensure that all new IT acquisitions using Internet\n  Protocol are IPv6 compliant,\xe2\x80\x9d we interviewed the Kennedy Procurement Director. We\n  did not review enterprise architecture or capital planning and investment control\n  activities.\n\n  To evaluate the effectiveness of controls and processes for devices configured to enable\n  IPv6, we reviewed the certification and accreditation documentation for the NISN\n  corporate backbone. In November 2009, the NISN Network Engineer identified 12 core\n  routers that had been configured to enable IPv6. These 12 core routers were part of the\n  NISN corporate backbone, which included 381 routers, switches, and servers.\n  SecureInfo Corporation, an independent third-party contractor, certified the NISN\n  corporate backbone in August 2009. We accepted SecureInfo\xe2\x80\x99s determination that an\n  adequate level of information system security existed to protect the information\n  processed by the NISN corporate backbone. SecureInfo\xe2\x80\x99s certification included a review\n  of controls from NIST Special Publication 800-53, Revision 2, \xe2\x80\x9cRecommended Security\n  Controls for Federal Information Systems,\xe2\x80\x9d and a vulnerability scan using McAfee\n  Foundstone.\n\n  Use of Computer-Processed Data. We did not assess the reliability or validity of the\n  data produced by McAfee Foundstone, because it is a widely used tool approved by\n  NASA for vulnerability scanning. In addition, the data\xe2\x80\x99s reliability and validity would\n  not impact our conclusions or recommendation.\n\n\nReview of Internal Controls\n\n  We examined controls for ensuring appropriate IPv6 planning as required by OMB. We\n  discussed the control weakness we identified in the Results section of this report. Our\n  recommendation, if implemented, will improve the identified weakness.\n\n\n\n\nREPORT NO. IG-10-022                                                                          17\n\x0c                                                                                       APPENDIX A\n\n\n\nPrior Coverage\n\n     During the last 5 years, the Government Accountability Office (GAO) has issued two\n     reports of particular relevance to the subject of this report. Unrestricted GAO reports can\n     be accessed over the Internet at http://www.gao.gov.\n\n     \xe2\x80\x9cInternet Protocol Version 6: Federal Government in Early Stages of Transition and Key\n     Challenges Remain\xe2\x80\x9d (GAO-06-675, June 30, 2006)\n\n     \xe2\x80\x9cInternet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage\n     Security Risks\xe2\x80\x9d (GAO-05-471, May 20, 2005)\n\n\n\n\n18                                                                          REPORT NO. IG-10-022\n\x0cAPPENDIX B\n\n\n\n\n                                                                               GLOSSARY\n\n\n  American Registry for Internet Numbers. A Regional Internet Registry, the American\n  Registry for Internet Numbers is a non-profit membership organization established for\n  the administration and disruption of IP addresses in the United States, Canada, many\n  Caribbean, and North Atlantic islands.\n  (Source: https://www.arin.net/knowledge/arin_glance.pdf, accessed March 30, 2010)\n\n  Backbone. OMB M-05-22 identified \xe2\x80\x9cnetwork backbone\xe2\x80\x9d as another name for an\n  agency\xe2\x80\x99s infrastructure. OMB\xe2\x80\x99s IPv6 Frequently Asked Questions\n  (http://www.cio.gov/documents/IPv6_FAQs.pdf) document states that the backbone\n  includes the wide area network (WAN) core up to the local area network (LAN) point of\n  demarcation, describing the LAN demarcation point as the device (e.g., router or switch)\n  that services workstations. The Federal Chief Information Officers Council further\n  defined the backbone, in the Architecture and Infrastructure Committee\xe2\x80\x99s\n  \xe2\x80\x9cDemonstration Plan to Support Agency IPv6 Compliance,\xe2\x80\x9d January 28, 2008, as \xe2\x80\x9cthe\n  operational core backbone network or the set of network transport devices (routers,\n  switches) which provide the highest level of traffic aggregation in the network, and thus\n  at the highest level of hierarchy in the network.\xe2\x80\x9d\n\n  Domain Name System. DNS helps users to find their way around the Internet. Every\n  computer on the Internet has a unique IP address. Because IP addresses are a string of\n  numbers (e.g., 207.151.159.3), they are hard to remember. DNS makes using the Internet\n  easier by allowing a domain name to be used instead (e.g., www.internic.net).\n  (Source: http://www.icann.org/en/general/glossary.htm#D, accessed May 18, 2010.)\n\n  Dual-Stack. Dual-stack is a transition mechanism in which the Internet host or router is\n  capable of communicating using IPv4 and/or IPv6. The term \xe2\x80\x9cdual-stack routing\xe2\x80\x9d refers\n  to a network that is dual IP, that is to say all routers must be able to route both IPv4 and\n  IPv6. (Sources: The Architecture and Infrastructure Committee of the Federal Chief\n  Information Officers Council \xe2\x80\x9cIPv6 Transition Guidance,\xe2\x80\x9d online at\n  http://www.cio.gov/Documents/IPv6_Transition_Guidance.doc, accessed May 26, 2010;\n  and the NIST USGv6 Profile, online at http://www.antd.nist.gov/usgv6/usgv6-v1.pdf,\n  accessed May 26, 2010.)\n\n  Internet Assigned Numbers Authority. Responsible for the global coordination of\n  Internet protocol resources, the Internet Assigned Numbers Authority was originally\n  responsible for the oversight of IP address allocation, the coordination of the assignment\n  of protocol parameters provided for in Internet technical standards, and the management\n  of the DNS, including the delegation of top-level domains and oversight of the root name\n  server system. Under the Internet Corporation for Assigned Names and Numbers, it\n  continues to distribute addresses to the Regional Internet Registries, coordinate with the\n\n\nREPORT NO. IG-10-022                                                                             19\n\x0c                                                                                      APPENDIX B\n\n\n\n     Internet Engineering Task Force and others to assign protocol parameters, and oversee\n     the operation of the DNS. (Source: http://www.icann.org/en/general/glossary.htm#I,\n     accessed May 18, 2010.)\n\n     Internet Corporation for Assigned Names and Numbers. A not-for-profit public-\n     benefit corporation formed in 1998 with participants from all over the world and\n     dedicated to keeping the Internet secure, stable, and interoperable.\n     (Source: http://www.icann.org/en/about/, accessed May 19, 2010.)\n\n     Internet Engineering Task Force. This international community of network designers,\n     operators, vendors, and researchers is concerned with the evolution of the Internet\n     architecture and the smooth operation of the Internet. It is open to any interested\n     individual. (Source: http://www.ietf.org/, accessed May 18, 2010.)\n\n     Internet Protocol. The communications protocol underlying the Internet. IP allows\n     networks of computers to communicate with each other over a variety of physical links.\n     Computers on the Internet use IP addresses to route traffic and establish connections\n     among themselves; people generally use the human-friendly names made possible by the\n     Domain Name System. (Source: http://www.icann.org/en/general/glossary.htm#I,\n     accessed May 19, 2010.)\n\n     Internet Standard. An Internet Standard is a specification for using the Internet that has\n     been adopted through the Internet Standards process, an activity that is organized and\n     managed on behalf of the Internet community by the Internet Architecture Board and the\n     Internet Engineering Steering Group. In outline, the process of creating an Internet\n     Standard is straightforward: a specification undergoes a period of development and\n     several iterations of review by the Internet community and revision based on experience,\n     is adopted as a Standard by the appropriate body, and is published. (Source: Network\n     Working Group, RFC2026, BCP9, \xe2\x80\x9cThe Internet Standards Process \xe2\x80\x93 Revision 3,\xe2\x80\x9d online\n     at http://www.rfc-editor.org/rfc/bcp/bcp9.txt, accessed March 30, 2010.)\n\n     Internet Stream Protocol, Version 2 (ST2). ST2 is an experimental specification and is\n     not an Internet Standard. The \xe2\x80\x9cexperimental\xe2\x80\x9d designation typically denotes a\n     specification that is part of some research or development effort. Both ST2 and IP apply\n     the same addressing schemes to identify different hosts. ST2 differs from IP packets in\n     the first four bits, which contain the internetwork protocol version number. Because\n     number 5 is reserved for ST2, the IP version developed to replace IPv4 was assigned\n     number 6. (Sources: Network Working Group, RFC1819, \xe2\x80\x9cInternet Stream Protocol\n     Version 2 (ST2) Protocol Specification \xe2\x80\x93 Version ST2+,\xe2\x80\x9d online at http://www.rfc-\n     editor.org/rfc/rfc1819.txt, and RFC2026 or Best Current Practice 9, \xe2\x80\x9cThe Internet\n     Standards Process \xe2\x80\x93 Revision 3,\xe2\x80\x9d online at http://www.rfc-editor.org/rfc/rfc2026.txt,\n     accessed March 30, 2010.)\n\n     IP Address. A numerical address by which a location in the Internet is identified.\n     (Source: http://www.icann.org/en/general/glossary.htm#I, accessed May 19, 2010.)\n\n\n20                                                                         REPORT NO. IG-10-022\n\x0cAPPENDIX B\n\n\n\n  IP Aware. As used by OMB, an \xe2\x80\x9cIP-aware\xe2\x80\x9d device is one that is capable of recognizing\n  the Internet protocol needed to communicate over the Internet.\n\n  IPv6 Capable. OMB provides two meanings for the term \xe2\x80\x9cIPv6 capable.\xe2\x80\x9d The first\n  refers to an agency\xe2\x80\x99s network backbone being capable of successfully passing IPv6 data\n  traffic and supporting IPv6 addresses. The second refers to the technical specifications of\n  a device, such as a computer. OMB notes that the terms \xe2\x80\x9cIPv6 compliant\xe2\x80\x9d and \xe2\x80\x9cusing\n  IPv6\xe2\x80\x9d in M-05-22 are synonymous with \xe2\x80\x9cIPv6 capable.\xe2\x80\x9d (Source: OMB\xe2\x80\x99s IPv6\n  Frequently Asked Questions, online at http://www.cio.gov/documents/IPv6_FAQs.pdf,\n  accessed May 19, 2010.)\n\n  IPv6 Compliant. See \xe2\x80\x9cIPv6 Capable.\xe2\x80\x9d\n\n  IPv6 Enabled. The term \xe2\x80\x9cIPv6 enabled\xe2\x80\x9d is used to describe a network backbone that is\n  not only capable of supporting IPv6 (IPv6 capable) but is actually \xe2\x80\x9cturned on\xe2\x80\x9d \xe2\x80\x93 implying\n  that IPv6 traffic is actually successfully passing through the network. (Source: OMB\xe2\x80\x99s\n  IPv6 Frequently Asked Questions, online at\n  http://www.cio.gov/documents/IPv6_FAQs.pdf, accessed May 19, 2010.)\n\n  Network Address Translation (NAT). Network address translation is a method by\n  which IP addresses are mapped, providing transparent routing to end hosts. An address\n  realm is a network domain in which the network addresses are uniquely assigned to\n  entities such that datagrams (packets) can be routed to them. The term \xe2\x80\x9ctransparent\n  routing\xe2\x80\x9d is used here for the routing functionality that a NAT device provides, which is\n  different from the routing functionality provided by a traditional router device, which\n  routes packets within a single address realm. Transparent routing refers to routing a\n  packet between disparate address realms by modifying address contents in the IP header\n  to be valid in the address realm into which the packet is routed. The need for network\n  address translation arises when a network\xe2\x80\x99s internal IP addresses cannot be used outside\n  the network because they are invalid for use outside or the internal addressing must be\n  kept private from the external network. (Sources: Network Working Group, RFC2663,\n  \xe2\x80\x9cIP Network Address Translator (NAT) Terminology and Considerations,\xe2\x80\x9d online at\n  http://www.rfc-editor.org/rfc/rfc2663.txt and http://en.wikipedia.org/wiki/Datagram,\n  accessed May 28, 2010.)\n\n  Network Backbone. See \xe2\x80\x9cBackbone.\xe2\x80\x9d\n\n  Technology Refresh. The periodic replacement of equipment to ensure continuing\n  reliability of equipment or improved speed and capacity.\n  (Source: http://www.cryer.co.uk/glossary/t/technology_refresh.htm, accessed May 21,\n  2010.)\n\n\n\n\nREPORT NO. IG-10-022                                                                            21\n\x0c                                                                                     APPENDIX B\n\n\n\n     Transition Mechanism. Transition mechanisms ensure IPv4 and IPv6 interoperability.\n     These mechanisms are categorized in the following three broad classes: dual-stack,\n     tunnels (including configured and automatic tunnels), and translation mechanisms.\n     (Source: The Architecture and Infrastructure Committee of the Federal Chief Information\n     Officers Council \xe2\x80\x9cIPv6 Transition Guidance,\xe2\x80\x9d online at\n     http://www.cio.gov/Documents/IPv6_Transition_Guidance.doc, accessed May 26, 2010.)\n\n     Tunneling. Tunneling is a transition mechanism that encapsulates one version of IP in\n     another so the packets can be sent over a backbone that does not support the encapsulated\n     IP version. For example, when two isolated IPv6 networks need to communicate over an\n     IPv4 network, dual-stack routers at the network edges can be used to set up a tunnel that\n     encapsulates the IPv6 packets within IPv4, allowing the IPv6 systems to communicate\n     without having to upgrade the IPv4 network infrastructure that exists between the\n     networks. (Source: The Architecture and Infrastructure Committee of the Federal Chief\n     Information Officers Council \xe2\x80\x9cIPv6 Transition Guidance,\xe2\x80\x9d online at\n     http://www.cio.gov/Documents/IPv6_Transition_Guidance.doc, accessed May 26, 2010.)\n\n\n\n\n22                                                                        REPORT NO. IG-10-022\n\x0cAPPENDIX C\n\n\n\n\n                                                    GUIDANCE FOR TESTING IPV6\n                                                                 CAPABILITIES\n\n\n  One of the requirements in OMB M-05-22 was for agency infrastructures (network\n  backbones) to be IPv6 capable and to demonstrate that capability by June 30, 2008. For\n  our evaluation of NASA\xe2\x80\x99s compliance with this requirement, we reviewed the \xe2\x80\x9cNational\n  Aeronautics and Space Administration (NASA) Agencywide IPv6 - Demonstration\n  Plan,\xe2\x80\x9d June 6, 2008; NASA\xe2\x80\x99s testing documentation; and the following guidance.\n\n\nGuidance from OMB\n\n  The wording in M-05-22 led to some confusion, which OMB addressed in \xe2\x80\x9cFederal\n  Government Transition Internet Protocol Version 4 (IPv4) to Internet Protocol Version 6\n  (IPv6), Frequently Asked Questions,\xe2\x80\x9d February 15, 2006. M-05-22 (see Appendix E)\n  had stated the requirement as \xe2\x80\x9cmust be using IPv6,\xe2\x80\x9d which the IPv6 Frequently Asked\n  Questions document clarified as meaning that agencies needed to demonstrate IPv6\n  capability on their network backbones by June 30, 2008 (see the \xe2\x80\x9cIPv6 Capable\xe2\x80\x9d glossary\n  entry in Appendix B).\n\n  OMB\xe2\x80\x99s IPv6 Frequently Asked Questions document states that the backbone includes the\n  wide area network (WAN) core up to the local area network (LAN) point of demarcation,\n  describing the LAN demarcation point as the device (e.g., router or switch) that services\n  workstations. The document also stated the specific actions required to meet the\n  requirement:\n\n         Agencies must be able to demonstrate they are capable of performing at least the\n         following functions, without compromising IPv4 capability or network security:\n\n             \xe2\x80\xa2   Transmit IPv6 traffic from the Internet and external peers, through the core\n                 (WAN), to the LAN.\n\n             \xe2\x80\xa2   Transmit IPv6 traffic from the LAN, through the core (WAN), out to the\n                 Internet and external peers.\n\n             \xe2\x80\xa2   Transmit IPv6 traffic from the LAN, through the core (WAN), to another\n                 LAN (or another node on the same LAN).\n\n         The requirements for June 30, 2008 are for the network backbone (core) only.\n         Applications, peripherals, and other IT assets which are not leveraged in the\n         execution of the functions mentioned above are not required for the June 30, 2008\n         deadline.\n\n\n\n\nREPORT NO. IG-10-022                                                                            23\n\x0c                                                                                                      APPENDIX C\n\n\n\n                Agencies should verify this new capability through testing activities. Agencies are\n                required to maintain security during and after adoption of IPv6 technology into the\n                network core.\n\n\nGuidance from the Federal Chief Information Officers Council\n\n     In January 2008, the requirements stated in OMB\xe2\x80\x99s IPv6 Frequently Asked Questions\n     document were restated in the \xe2\x80\x9cDemonstration Plan to Support Agency IPv6\n     Compliance\xe2\x80\x9d issued by the Architecture and Infrastructure Committee, Federal Chief\n     Information Officers Council. The document\xe2\x80\x99s purpose was to provide guidance and\n     describe procedures to demonstrate IPv6 compliance, which it stated as showing \xe2\x80\x9cthat\n     IPv6 traffic has been successfully transported (i.e., received, processed, forwarded)\n     through all IPv6 devices in an Agency\xe2\x80\x99s operational core backbone network.\xe2\x80\x9d\n\n     Specifically, the Demonstration Plan stated that agencies must successfully demonstrate\n     the following functions in order to be compliant with OMB\xe2\x80\x99s requirement:\n            \xe2\x80\xa2   Transmit IPv6 traffic from the Internet and external peers, through the network\n                backbone (core), to the LAN. 21\n            \xe2\x80\xa2   Transmit IPv6 traffic from the LAN, through the network backbone (core), out to\n                the Internet and external peers.\n            \xe2\x80\xa2   Transmit IPv6 traffic from the LAN, through the network backbone (core), to\n                another LAN (or another node on the same LAN).\n\n\n\n\n     21\n          The Demonstration Plan defined the term \xe2\x80\x9cLAN\xe2\x80\x9d for demonstration purposes as representing\n          \xe2\x80\x9cIPv6-configured PCs/Laptops (with associated cabling and switching as needed), directly connected\n          to IPv6 devices (routers, switches) in an Agency\xe2\x80\x99s operational core backbone network.\xe2\x80\x9d\n\n\n\n24                                                                                      REPORT NO. IG-10-022\n\x0cAPPENDIX D\n\n\n\n\n                                                REQUIREMENTS AND GUIDANCE\n                                                     FOR A TRANSITION PLAN\n\n\n  For our evaluation of NASA\xe2\x80\x99s plans and efforts toward IPv6 transition and integration,\n  we reviewed the following requirements and guidance to determine compliance for an\n  appropriate transition plan.\n\n\nOMB Requirements for a Transition Plan\n\n  OMB Memorandum M-05-22, \xe2\x80\x9cTransition Planning for Internet Protocol Version 6\n  (IPv6),\xe2\x80\x9d August 2, 2005, requires agencies to address each of the actions in Attachment C\n  in the agency\xe2\x80\x99s IPv6 transition plan using the transition guidance issued by the Federal\n  Chief Information Officers Council Architecture and Infrastructure Committee.\n\n  Following is the attachment from M-05-22:\n         Attachment C: Transition Activities (Notional Summary of CIO Council\n                       Guidance)\n\n         The CIO Council will develop additional transition guidance as necessary\n         covering the following actions. To the extent agencies can address these actions\n         now, they should do so. Beginning February 2006, agencies\xe2\x80\x99 transition activity\n         will be evaluated using OMB\xe2\x80\x99s Enterprise Architecture Assessment Framework:\n\n             \xe2\x80\xa2   Conduct a requirements analysis to identify current scope of IPv6 within\n                 an agency, current challenges using IPv4, and target requirements.\n             \xe2\x80\xa2   Develop a sequencing plan for IPv6 implementation, integrated with\n                 your agency Enterprise Architecture.\n             \xe2\x80\xa2   Develop IPv6-related policies and enforcement mechanisms.\n             \xe2\x80\xa2   Develop training material for stakeholders.\n             \xe2\x80\xa2   Develop and implement a test plan for IPv6\n                 compatibility/interoperability.\n             \xe2\x80\xa2   Deploy IPv6 using a phased approach.\n             \xe2\x80\xa2   Maintain and monitor networks.\n             \xe2\x80\xa2   Update IPv6 requirements and target architecture on an ongoing basis.\n\n\n\n\nREPORT NO. IG-10-022                                                                          25\n\x0c                                                                                     APPENDIX D\n\n\n\nGuidance for Elements in the Transition Plan\n\n     IPv6 Transition Guidance. The Architecture and Infrastructure Committee of the\n     Federal Chief Information Officers Council issued \xe2\x80\x9cIPv6 Transition Guidance\xe2\x80\x9d in\n     February 2006, providing additional guidance to implement requirements of OMB\n     M-05-22. The \xe2\x80\x9cIPv6 Transition Guidance\xe2\x80\x9d provides detailed \xe2\x80\x9cbest practices\xe2\x80\x9d and\n     recommendations to any Federal Government agency introducing IPv6 into its network\n     environment. The Guidance includes a list of elements that could be used as the basis for\n     an IPv6 transition plan. Although agencies were not required to include all of the\n     elements in their transition plans, OMB recommended that each agency cross-check its\n     plan against this list to ensure that all transition elements had been considered.\n\n        1.  Identification of strategic business objectives.\n        2.  Identification of transition priorities.\n        3.  Identification of transition activities.\n        4.  Transition milestones.\n        5.  Transition criteria for legacy, upgraded, and new capabilities.\n        6.  Means for adjudicating claims that an asset should not transition in prescribed\n            timeframes.\n        7. Technical strategy and selection of transition mechanisms to support IPv4/IPv6\n            interoperability.\n        8. Management and assignment of resources for transition.\n        9. Maintenance of interoperability and security during transition.\n        10. Use of IPv6 standards and products.\n        11. Support for IPv4 infrastructure during and after 2008 IPv6 network backbone\n            deployment.\n        12. Application migration (if required to support backbone transition).\n        13. Costs not covered by technology refresh.\n        14. Transition governance:\n                a. Policy\n                b. Roles and responsibilities\n                c. Management structure\n                d. Performance measurement\n                e. Reporting\n        15. Acquisition and procurement.\n        16. Training.\n        17. Testing.\n\n\n\n\n26                                                                        REPORT NO. IG-10-022\n\x0cAPPENDIX D\n\n\n\n  IPv6 Planning Guide. In May 2009, the Architecture and Infrastructure Committee of\n  the Federal Chief Information Officers Council issued the \xe2\x80\x9cPlanning Guide/Roadmap\n  Toward IPv6 Adoption within the U.S. Government,\xe2\x80\x9d which lists elements that must be\n  included in the transition strategy plan.\n\n      1. Identification of transition priorities.\n      2. Identification of transition activities.\n      3. Transition milestones.\n      4. Transition criteria for legacy, upgraded, and new capabilities.\n      5. Dependencies.\n      6. Risks and mitigation strategies.\n      7. Maintenance of interoperability and security during transition.\n      8. Use of the NIST USGv6 Profile to express IPv6 capability requirements for\n         specific products.\n      9. Transition governance:\n            \xe2\x80\xa2 Policy\n            \xe2\x80\xa2 Roles and responsibilities\n            \xe2\x80\xa2 Management structure\n            \xe2\x80\xa2 Performance measurement\n            \xe2\x80\xa2 Reporting\n            \xe2\x80\xa2 Management actions\n      10. Training.\n      11. Testing.\n\n\n\n\nREPORT NO. IG-10-022                                                                    27\n\x0c               APPENDIX E\n\n\n\n\n     OMB M-05-22\n\n\n\n\n28    REPORT NO. IG-10-022\n\x0cAPPENDIX E\n\n\n\n\nREPORT NO. IG-10-022   29\n\x0c              APPENDIX E\n\n\n\n\n30   REPORT NO. IG-10-022\n\x0cAPPENDIX F\n\n\n\n\n                       MANAGEMENT COMMENTS\n                                             Final Report\n                                              Reference\n\n\n\n\n                                             changed\n\n\n\n\nREPORT NO. IG-10-022                          31\n\x0c                        APPENDIX F\n\n\n\n\nFinal Report\n  Reference\n\n\n\n\n   page 17\n  footnote\n  added in\n next para-\n graph for\n    clarity\n\n  changed\n\n\n\n\n  page 15\n  page 17\n  changed\n\n\n\n\n       32      REPORT NO. IG-10-022\n\x0cAPPENDIX F\n\n\n\n\nREPORT NO. IG-10-022   33\n\x0c                                                                              APPENDIX G\n\n\n\n\n                                                       REPORT DISTRIBUTION\n\nNational Aeronautics and Space Administration\n\n     Administrator\n     Deputy Administrator\n     Chief of Staff\n     Chief Information Officer\n     Ames Research Center Chief Information Officer\n     Dryden Flight Research Center Chief Information Officer\n     Glenn Research Center Chief Information Officer\n     Goddard Space Flight Center Chief Information Officer\n     Jet Propulsion Laboratory Chief Information Officer\n     Johnson Space Center Chief Information Officer,\n     Director of Information Technology and Communication Services, Kennedy Space\n       Center\n     Langley Research Center Chief Information Officer\n     Marshall Space Flight Center Chief Information Officer\n     Stennis Space Center Chief Information Officer\n\nNon-NASA Organizations and Individuals\n\n     Office of Management and Budget\n        Deputy Associate Director, Energy and Science Division\n            Branch Chief, Science and Space Programs Branch\n     Government Accountability Office\n        Director, NASA Financial Management, Office of Financial Management and\n           Assurance\n        Director, NASA Issues, Office of Acquisition and Sourcing Management\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Member\n\n     Senate Committee on Appropriations\n        Subcommittee on Commerce, Justice, Science, and Related Agencies\n     Senate Committee on Commerce, Science, and Transportation\n        Subcommittee on Science and Space\n     Senate Committee on Homeland Security and Governmental Affairs\n\n\n\n\n34                                                                   REPORT NO. IG-10-022\n\x0cAPPENDIX G\n\n\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Member (continued)\n\n  House Committee on Appropriations\n     Subcommittee on Commerce, Justice, Science, and Related Agencies\n  House Committee on Oversight and Government Reform\n     Subcommittee on Government Management, Organization, and Procurement\n  House Committee on Science and Technology\n     Subcommittee on Investigations and Oversight\n     Subcommittee on Space and Aeronautics\n\n\n\n\nREPORT NO. IG-10-022                                                        35\n\x0c\x0cMajor Contributors to the Report:\n   Wen Song, Director, Information Technology Directorate\n   Mindy Vuong, Project Manager\n   Linda Hargrove, Team Lead\n   Deirdre Beal, Auditor\n   Scott Riggenbach, Auditor\n\n\n\n\nREPORT NO. IG-10-022                                        37\n\x0c                                                                                   SEPTEMBER 9, 2010\n                                                                        REPORT No. IG-10-022\n\n\n\n\n                                                                                 OFFICE OF AUDITS\n\n                                                                 OFFICE OF INSPECTOR GENERAL\n\n\n\n\nADDITIONAL COPIES\nVisit http://oig.nasa.gov/audits/reports/FY10/ to obtain additional copies of this report, or contact the\nAssistant Inspector General for Audits at 202-358-1232.\n\nCOMMENTS ON THIS REPORT\nIn order to help us improve the quality of our products, if you wish to comment on the quality or\nusefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations and\nQuality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543.\n\nSUGGESTIONS FOR FUTURE AUDITS\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits.\nIdeas and requests can also be mailed to:\n      Assistant Inspector General for Audits\n      NASA Headquarters\n      Washington, DC 20546-0001\n\nNASA HOTLINE\nTo report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or\n800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L\xe2\x80\x99Enfant\nPlaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of\neach writer and caller can be kept confidential, upon request, to the extent permitted by law.\n\x0c'